[Federation][kubefed] Add option to expose federation apiserver on nodeport service #40516
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
k8s-github-robot
added
size/L
shashidharatd
force-pushed
the
kubefed-1
branch
from
1759712
to
b33f09c
Compare
There was a problem hiding this comment.
This is helpful, thank you!
Is there an issue that this is targeting? I think it may be problematic to be submitting code without a clear relationship to a documented/discussed use-case or bug since otherwise it may not be obvious to reviewers whether the solution is appropriate.
Is your intent to ensure that kubefed init can complete without error in a non-cloud environment or ensure that it can deploy a working control plane? If the latter, there is a piece missing: dnsaas configuration.
The controller manager depends on cloud auth credentials being available in the container, and that won't be true for non-cloud. Here's what I needed to do to get google dns working after kubefed had deployed the control plane to a local cluster:
- create a service account with the "Compute Network User" role as per the google instructions and download the resulting json auth file
- create a secret in the federation namespace from the auth file
- edit the controller manager deployment template to include:
- a volume for the secret
- a mount for the secret volume
- an env definition for
GOOGLE_APPLICATION_CREDENTIALSthat pointed to the mounted file- setting
--dns-provider-configresulted in the controller manager complaining about invalid configuration. It didn't seem to expect json.
- setting
A similar procedure would likely be required for route 53 running outside of aws. I think kubefed should ensure that for non-cloud the control manager can be configured properly for the chosen dns provider (likely by accepting a file containing the appropriate credentials and configuring the controller manager deployment accordingly) and/or that dns can be optionally disabled (e.g. --dns-provider=none). This seems orthogonal to the issue of api accessibility, though, so it may make sense to reduce the scope of this PR (e.g. 'Ensure kubefed init can complete successfully on non-cloud') rather than trying to do it all here.
federation/pkg/kubefed/util/util.go
Outdated
| @@ -150,3 +156,57 @@ func CreateKubeconfigSecret(clientset *client.Clientset, kubeconfig *clientcmdap | |||
| } | |||
| return secret, nil | |||
| } | |||
|
|
|||
| func WaitForLoadBalancerAddress(clientset *client.Clientset, svc *api.Service) ([]string, []string, error) { | |||
There was a problem hiding this comment.
(No action required) No tests for either of these functions (and hence no test changes required).
federation/pkg/kubefed/init/init.go
Outdated
| @@ -62,8 +62,7 @@ const ( | |||
| AdminCN = "admin" | |||
| HostClusterLocalDNSZoneName = "cluster.local." | |||
|
|
|||
| lbAddrRetryInterval = 5 * time.Second | |||
| podWaitInterval = 2 * time.Second | |||
| apiserverHealthCheckInterval = 2 * time.Second | |||
There was a problem hiding this comment.
Nit: Consider using apiServer instead of apiserver for consistency.
federation/pkg/kubefed/init/init.go
Outdated
| @@ -485,6 +507,21 @@ func createAPIServer(clientset *client.Clientset, namespace, name, image, creden | |||
| return dep, nil | |||
| } | |||
|
|
|||
| if !cloudEnvironment { | |||
There was a problem hiding this comment.
Defining pvc config in the spec and then removing it here if necessary may complicate future maintenance. Consider excluding the pvc configuration from the spec and adding it in this block instead.
There was a problem hiding this comment.
Shouldn't pvc be optional rather than simply disabled for non-cloud? I'm pretty sure non-cloud deployments will still require persistent storage.
There was a problem hiding this comment.
totally agree with you. I was reluctant to introduce new flags. what you are bringing is more variety of use cases and thanks for the review.
federation/pkg/kubefed/init/init.go
Outdated
| @@ -386,7 +408,7 @@ func createPVC(clientset *client.Clientset, namespace, svcName, etcdPVCapacity s | |||
| return clientset.Core().PersistentVolumeClaims(namespace).Create(pvc) | |||
| } | |||
|
|
|||
| func createAPIServer(clientset *client.Clientset, namespace, name, image, credentialsName, pvcName, advertiseAddress, storageBackend string, dryRun bool) (*extensions.Deployment, error) { | |||
| func createAPIServer(clientset *client.Clientset, namespace, name, image, credentialsName, pvcName, advertiseAddress, storageBackend string, dryRun bool, cloudEnvironment bool) (*extensions.Deployment, error) { | |||
There was a problem hiding this comment.
Modifying existing code without a test change is an anti-pattern. Please add a test case that validates the existing behavior and then another that ensures the new behavior works as expected.
There was a problem hiding this comment.
Agree, will add a testcase
federation/pkg/kubefed/util/util.go
Outdated
| @@ -210,3 +210,26 @@ func WaitForPods(clientset *client.Clientset, pods []string, namespace string) e | |||
| }) | |||
| return err | |||
| } | |||
|
|
|||
| func GetFirstNodeIP(clientset *client.Clientset) ([]string, error) { | |||
There was a problem hiding this comment.
This function seems like something that might exist elsewhere in the codebase. Have you looked for and not found an existing implementation?
If this function is required, please ensure it is tested. It may be helpful to break the function apart to avoid having to mock the client (i.e. focus on testing a function that accepts a NodeList and returns the first address).
There was a problem hiding this comment.
oops, sorry i should have checked. at first it seemed simply straight forward. I should be reusing this function GetPreferredNodeAddress. Thanks for pointing this issue.
|
@marun, Firstly I apologize for my non-standard way of working. I happened to discuss this off-line with @madhusudancs few days back to enable users to deploy federation on non-cloud environments and we felt it is one of important thing to be done. This PR was targeted towards enabling federation control plane to be brought up in non-cloud environments to experience the features of federation and yes, as you rightly pointed out, we need to configure dns-provider using I would create an issue and link these PR to the issue. |
shashidharatd
changed the title
federation/pkg/kubefed/init/init.go
Outdated
| if cloudEnvironment { | ||
| ips, hostnames, err = util.WaitForLoadBalancerAddress(hostClientset, svc) | ||
| } else { | ||
| ips, err = util.GetFirstNodeIP(hostClientset) |
There was a problem hiding this comment.
Would be preferable to have this ip be configurable and not only auto-magically devined. There are use cases where you might have more than 1 "external" ip and need to provide the specific one for this service.
There was a problem hiding this comment.
Shall we achieve this in subsequent PR?
There was a problem hiding this comment.
IMO it falls under the umbrella of this change and isn't too much more work on top of what you already have. I don't feel too strongly about doing to in this PR vs a different one, although if multiple flags is to be used (later comment) then is makes sense to all this flag with those.
There was a problem hiding this comment.
Maybe move discussion to #39271 as per @madhusudancs?
|
I wonder whether specific options would be preferable to a As per an inline comment, I think enabling PVC could be a separate flag (e.g. |
|
@marun +1 to multiple flags. You can have them default to cloud services, but using multiple flags gives most flexibility and functionality. |
|
@shashidharatd I'm not authoritative here, I'm just fomenting discussion. I think one or more of the experienced federation contributors should have the final say and I recommend waiting on their input before you proceed. |
|
Note, although it looks similar, this PR and PR #40528 aren't exactly targeting issue #39870. Issue #39870 is for a deployment mechanism that we now consider deprecated. We still need an issue for this PR and discuss the potential solutions there. I would also create more specific issues for making kubefed work without load balancer addresses, for making it work without PV dynamic provisioning and optionally create an umbrella issue to track all of them for non-cloud environments. But note that these features are not necessarily specific to non-cloud environments. It might as well apply to cloud environments where the provider doesn't support the features provided by other providers. This is also the reason why having a catch-all In any case, I agree that we need an issue to discuss all these. |
|
@madhusudancs I disagree that #39870 isn't applicable. The issue, whether it is the docs or the new, is that the build/deploy is too cloud dependent and kubefed as it is now doesn't solve that problem, hence this PR. Additionally, the issue with using images from source is the same if kubefed is used or not. |
|
@madhusudancs I agree that it makes sense to tackle the flags separately. The issue @shashidharatd created is probably as good a starting point as any: #40536 |
|
@rrati we acknowledge that kubefed doesn't work in non-cloud scenarios and hence this PR. @marun this PR is a good starting place, but it isn't sufficient. We need a place where we discuss potential solutions and then account for it. PRs are Ok, but I have rarely seen people going back to PRs for archaeology. Issues give a good overview of the problem in question and the potential solutions considered without distractions such as "fix this formatting error" or "move this function to a different package". |
|
@madhusudancs Thank you for the clarification, I think that is the best approach. I wasn't sure whether the PR could proceed without an issue, but had encouraged @shashidharatd to create issues in both this PR and #40528 anyway. In response to that discussion, he went ahead and created the issue I referred to in my last comment (#40536) and I meant that it would be a good starting point for the umbrella issue. |
|
@shashidharatd I think it makes sense to target this PR at #39271, which implies that the scope be limited to supporting other methods of exposing the federation control plane. The discussion of how best to address the issue should occur there as per @madhusudancs. |
shashidharatd
force-pushed
the
kubefed-1
branch
from
b33f09c
to
845470e
Compare
shashidharatd
changed the title
|
as suggested by @marun, this pr is now scoped down to just supporting other methods of exposing the federation control plane via nodeport service. |
|
Reviewed 2 of 2 files at r8. federation/pkg/kubefed/init/init.go, line 184 at r1 (raw file): Previously, shashidharatd (Shashidhara T D) wrote…
Ah, makes sense now. federation/pkg/kubefed/init/init.go, line 178 at r2 (raw file): Previously, shashidharatd (Shashidhara T D) wrote…
I would just leave this out for this PR. There are already too many things going on here. federation/pkg/kubefed/init/init.go, line 368 at r4 (raw file): Previously, shashidharatd (Shashidhara T D) wrote…
Yeah, leave it the way it is now. federation/pkg/kubefed/init/init.go, line 790 at r6 (raw file):
I am now worried about not printing all the endpoints in the non-NodePort case. Can we please bring that back for non-NodePorts? For NodePorts, if there is more than one IP, please add an ellipsis. Some that looks like federation/pkg/kubefed/init/init.go, line 393 at r7 (raw file): Previously, shashidharatd (Shashidhara T D) wrote…
Thanks for verifying. federation/pkg/kubefed/init/init.go, line 269 at r8 (raw file):
Can you please explain here in the comments that the Comments from Reviewable |
k8s-github-robot
added
the
needs-rebase
shashidharatd
force-pushed
the
kubefed-1
branch
from
61caac4
to
03928df
Compare
k8s-github-robot
removed
the
needs-rebase
|
@madhusudancs handled your latest comments and rebased. PTAL Review status: 1 of 4 files reviewed at latest revision, 12 unresolved discussions. federation/pkg/kubefed/init/init.go, line 790 at r6 (raw file): Previously, madhusudancs (Madhusudan.C.S) wrote…
Handled. PTAL federation/pkg/kubefed/init/init.go, line 269 at r8 (raw file): Previously, madhusudancs (Madhusudan.C.S) wrote…
Done. Comments from Reviewable |
|
/lgtm Reviewed 1 of 3 files at r9. Comments from Reviewable |
k8s-ci-robot
added
the
lgtm
|
Reviewed 1 of 4 files at r5, 2 of 3 files at r9. Comments from Reviewable |
k8s-github-robot
added
the
do-not-merge
madhusudancs
added
release-note
|
@shashidharatd please add a release note and I will approve the PR. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: ixdy, madhusudancs, shashidharatd Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
madhusudancs
added
the
do-not-merge
|
@madhusudancs Added release notes. PTAL. Thanks |
|
@shashidharatd don't think about release note like the way you think about commit logs. These are targeted for users. Make it sound something like this. """ |
|
Thanks @madhusudancs for the suggestion. Have updated the release notes. PTAL |
madhusudancs
removed
the
do-not-merge
|
@shashidharatd thanks! |
|
@shashidharatd: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue |
What this PR does / why we need it:
This PR adds an option to kubefed to expose federation api server over nodeport. This can be useful to deploy federation in non-cloud environments. This PR is target to address #39271
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Special notes for your reviewer:
Release note:
@kubernetes/sig-federation-misc @madhusudancs